Telegram acknowledged the attacks on its service in a blog post, but played down their significance. "Certain people" had used its public APIs to check whether Iranian phone numbers were used for its service, and had ascertained this for 15 million accounts, the company said, but the content of the accounts could not be accessed through the API.

Information about which phone numbers are associated with accounts has to be public, otherwise users cannot find and message their friends through the service, the company said on its blog.

Checking phone numbers on such a large scale is no longer possible, though, as within the last year the company has placed limits on such use of its API, it said.

The company is aware that Telegram accounts can be hacked by intercepting SMS confirmation codes, but "this is hardly a new threat," it said. Last year it introduced an optional two-factor verification function combining SMS codes and passwords, and has been encouraging users in certain countries to turn this on if they think that their mobile carrier is intercepting their SMS codes.

"If you do that, there's nothing an attacker can do," the company said.

Anderson welcomed Telegram's API changes, but called for it to publish its security advice in the Farsi language to ensure more Iranian users were aware of the need to use two-factor verification.

If you are in Iran and use the mobile app, there are significant risks from government cooperation with telcos, he said via Twitter.

But combining SMS authentication with passwords is not enough to satisfy everyone. The U.S. National Institute of Standards and Technology is considering dropping SMS from its recommendations as a second authentication factor for securing government IT and communication systems. Last week it began circulating a draft guideline to that effect for public comment.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.